Console doesn't show Right-To-Left override chars
Categories
(DevTools :: Console, defect, P3)
Tracking
(firefox102 wontfix, firefox103 wontfix, firefox104 verified)
People
(Reporter: MeowCKl, Assigned: nchevobbe)
References
(Blocks 1 open bug)
Details
Attachments
(4 files)
Screenshot.png
User Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
Open Web Developer Tools.
Paste https://raw.githubusercontent.com/nickboucher/trojan-source/main/JavaScript/stretched-string.js .
(See https://trojansource.codes/)
Actual results:
The code is displayed as `if (accessLevel != "user") // Check if admin'
Expected results:
`if (accessLevel != "user[U+202E] [U+2066]// Check if admin[U+2069] [U+2066]") {'
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 1•2 years ago
|
||
I don't think this could be exploited though.
We have a self-xss mechanism to prevent people to paste things in the console
And if you're a developer, you should be careful executing anything in the console (as what you'd put in your js sources)
But I agree that it would be nice if we'd show those characters in the [U+xxx] form to avoid confusion
|
||
Comment 2•2 years ago
|
||
Hello! I have managed to reproduce the issue using firefox 104.0a1(2022-07-20), 103.0 and 102.0.1 on Ubuntu 22.04 and Windows 10, I will mark this issue as NEW and set a component for it in order to get our developers involved.
If it's not the right component please feel free to change it to an appropriate one.
Have a nice day!
|
|
Assignee | |
Comment 3•2 years ago
|
||
Looks like something we could handle with https://codemirror.net/5/doc/manual.html#option_specialChars
|
|
Assignee | |
Comment 4•2 years ago
|
||
it would look like the attached screenshot with the following diff
diff --git a/devtools/client/shared/sourceeditor/editor.js b/devtools/client/shared/sourceeditor/editor.js
--- a/devtools/client/shared/sourceeditor/editor.js
+++ b/devtools/client/shared/sourceeditor/editor.js
@@ -161,6 +161,7 @@ function Editor(config) {
maxHighlightLength: 1000,
// Disable codeMirror setTimeout-based cursor blinking (will be replaced by a CSS animation)
cursorBlinkRate: 0,
+ specialChars: /[\u0000-\u001f\u007f-\u009f\u00ad\u061c\u200b-\u200f\u2028\u2066\u2069\u2029\u202e\ufeff\ufff9-\ufffc]/,
};
|
|
Assignee | |
Comment 5•2 years ago
|
||
Itiel, does what's pictured in Comment 4 would be okay? I don't have much experience regarding multi-direction strings, so I'm not sure if it would cause any harm
(In reply to Nicolas Chevobbe [:nchevobbe] from comment #5)
Itiel, does what's pictured in Comment 4 would be okay? I don't have much experience regarding multi-direction strings, so I'm not sure if it would cause any harm
Thanks for flagging me!
The screenshot in comment 4 is better than nothing, but like VSCode's implementation better.
Some notes:
- The red dots don't seem to convey much to the user other than "something is there"; VSCode is explicit about what it is
- If VSCode's implementation can't be forked here somehow, hovering the red dots should at least show a tooltip with the
[U+xxx] - Regardless of #1 and #2 above, selecting the the code and copy-pasting it elsewhere should be with the markers themselves, without the dots (or the
[U+xxx]text, in the VSCode implementation) - An optional bonus to #3 above would be to allow selecting and copying the marker (in the VSCode case), only when explicitly selecting that text (as opposed to selecting the whole code in which the marker text should not be included in that selection)
|
|
Assignee | |
Comment 7•2 years ago
|
||
|
|
Assignee | |
Comment 8•2 years ago
|
||
(In reply to Itiel from comment #6)
The screenshot in comment 4 is better than nothing, but like VSCode's implementation better.
Some notes:
- The red dots don't seem to convey much to the user other than "something is there"; VSCode is explicit about what it is
- If VSCode's implementation can't be forked here somehow, hovering the red dots should at least show a tooltip with the
[U+xxx]- Regardless of #1 and #2 above, selecting the the code and copy-pasting it elsewhere should be with the markers themselves, without the dots (or the
[U+xxx]text, in the VSCode implementation)- An optional bonus to #3 above would be to allow selecting and copying the marker (in the VSCode case), only when explicitly selecting that text (as opposed to selecting the whole code in which the marker text should not be included in that selection)
We can mimick what's done in VSCode (see Comment 7)
Copying seems to copy the char, not its unicode representation
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 10•2 years ago
|
||
This adds some character (e.g. right-to-left override) to CodeMirror default list of
special characters (see https://codemirror.net/5/doc/manual.html#option_specialChar).
We also take this opportunity to show the unicode value for those, instead of the
default red dot CodeMirror provides.
|
||
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
Backed out for causing mochitest failures on browser_styleeditor_filesave.js
- Backout link
- Push with failures
- Failure Log
- Failure line: TEST-UNEXPECTED-FAIL | devtools/client/styleeditor/test/browser_styleeditor_filesave.js | Test timed out -
|
|
Assignee | |
Comment 13•2 years ago
|
||
fix attempt: https://treeherder.mozilla.org/jobs?repo=try&revision=6ac704e22758a68c355df34ce88daa8d5ae780ae
|
|
||
Comment 14•2 years ago
|
||
|
||
Comment 15•2 years ago
|
||
| bugherder | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 16•2 years ago
|
||
Hello! I can confirm that this issue is resolved with firefox 105.0 and 104.0b7 on Ubuntu 22 and Widows 10. I will update the flags accordingly and mark this issue as VERIFIED->FIXED.
Thank you and have a nice day!
Description
•